[Discuss] deadmanish login?

[richard.pieri at gmail.com (Richard Pieri)]

On 2/3/2017 7:38 AM, Kent Borg wrote:
> And if the dictionary has, let's say for round numbers 2048 words, then 
> it takes 2048 attempts to try them all.

You randomly pick the Nth word from your list of 2K words. It happens to
be the 5000th word in my 10K word list. It takes me 5 thousand tries to
stumble upon your password.

You intentionally pick the Nth word from your list of 2K words. It
happens to be the 5000th word in my 10K word list. It takes me 5
thousand tries to stumble upon your password.

How you arrive at N has little to do with the strength of your password
against dictionary and combinator attacks. Password length, which is to
say how many words are plucked from your word list, is what provides
strength using these methods (XKCD, diceware, etc). A problem with these
is that Hashcat on an 8 GPU cracking rig can perform *billions* of
combinator attacks per second. Billions. A dedicated Hashcat rig can
crack your prefix-plus-three-words passwords in low single digit minutes.

As a practical matter, the strength of your system comes from rate
limiting attacks. Even two arbitrarily chosen dictionary words becomes
prohibitively expensive for an attacker when he is limited to a handful
of tries per second, and even more so if you use fail2ban to shut them down.

Or disable password authentication and rely on randomly generated keys
which are far more secure than anything you can keep in your head.

-- 
Rich P.